So, it *seems* to be working, pretty much. I needed to install opensc, openct, pcsc-lite, and pcsc-lite-openct; ctapi-common will be installed as a dependency.
I *removed* coolkey and esc, which depended on it. 100% of the time, they misidentified the new/current US federal ID PIV-II cards as coolkey cards, and popped up this "phone home" window, then a "manage smartcards" window.
Without them, I also don't see an icon in the taskbar... but using ssh-add (actually, my manager built openssh, opensc and openct from current source, 5.4? 5.5?, and renamed stuff to piv-....), I do piv-ssh-add -s opensc-pkcs11.so, and it adds the card. Before you do that, configure /etc/pam_pkcs11/pam_pkcs11.conf so that

    # Filename of the PKCS #11 module. The default value is "default"
    use_pkcs11_module = opensc;

and you may have to decide on a mapper. Then restart pcscd, and you should be good to go.
At any rate, no wrong/confusing windows, and logins work. I do note that if I try to use my regular password, I need to pull my card out of the reader.
On a related note, from WinDoze, there's a version of putty that works: http://www.risacher.org/putty-cac/putty-cac-experimental/windows/?C=N;O=D. Once installed, when you bring up the putty window, click on expand ssh, then click on pkcs. The one thing needed is the right dll, which, if you're running a 64 bit system, and using, say, ActivIdentity, is c:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll
MAKE SURE you get the right .dll; if you're running 32 bit, it will be the other one.
mark
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of m.roth@5-cent.us
Sent: Wednesday, December 15, 2010 13:55
To: CentOS mailing list
Subject: [CentOS] Smart cards, mostly solved
> So, it *seems* to be working, pretty much. I needed to install opensc, openct, pcsc-lite, and pcsc-lite-openct; ctapi-common will be installed as a dependency.
Awesome.
> I *removed* coolkey and esc, which depended on it. 100% of the time, they misidentified the new/current US federal ID PIV-II cards as coolkey cards, and popped up this "phone home" window, then a "manage smartcards" window.
> Without them, I also don't see an icon in the taskbar... but using ssh-add (actually, my manager built openssh, opensc and openct from current source, 5.4? 5.5?, and renamed stuff to piv-....), I do piv-ssh-add -s opensc-pkcs11.so, and it adds the card. Before you do that, configure /etc/pam_pkcs11/pam_pkcs11.conf so that
>
>     # Filename of the PKCS #11 module. The default value is "default"
>     use_pkcs11_module = opensc;
>
> and you may have to decide on a mapper. Then restart pcscd, and you should be good to go.
> At any rate, no wrong/confusing windows, and logins work. I do note that if I try to use my regular password, I need to pull my card out of the reader.
I am going to try to duplicate this with my CAC I got in October (should be a PIV II).
> On a related note, from WinDoze, there's a version of putty that works: <http://www.risacher.org/putty-cac/putty-cac-experimental/windows/?C=N;O=D>.
> Once installed, when you bring up the putty window, click on expand ssh, then click on pkcs. The one thing needed is the right dll, which, if you're running a 64 bit system, and using, say, ActivIdentity, is c:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll
> MAKE SURE you get the right .dll; if you're running 32 bit, it will be the other one.
Going to try this right now.
> mark
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                  PD Inc. http://www.pdinc.us -
- Principal Consultant          10 West 24th Street #100    -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
Jason Pyeron wrote:
> > So, it *seems* to be working, pretty much. I needed to install opensc, openct, pcsc-lite, and pcsc-lite-openct; ctapi-common will be installed as a dependency.
> Awesome.
Glad to help. Don't see any reason for anyone else to tear out their hair, when there's a solution. Esp. given that a) this is all open source, and b) I work for a federal contractor, so this is defined as public domain info.
> > I *removed* coolkey and esc, which depended on it. 100% of the time, they misidentified the new/current US federal ID PIV-II cards as coolkey cards, and popped up this "phone home" window, then a "manage smartcards" window.
> > Without them, I also don't see an icon in the taskbar... but using ssh-add (actually, my manager built openssh, opensc and openct from current source, 5.4? 5.5?, and renamed stuff to piv-....), I do piv-ssh-add -s opensc-pkcs11.so, and it adds the card. Before you do that, configure /etc/pam_pkcs11/pam_pkcs11.conf so that
> >
> >     # Filename of the PKCS #11 module. The default value is "default"
> >     use_pkcs11_module = opensc;
> >
> > and you may have to decide on a mapper. Then restart pcscd, and you should be good to go.
> > At any rate, no wrong/confusing windows, and logins work. I do note that if I try to use my regular password, I need to pull my card out of the reader.
> I am going to try to duplicate this with my CAC I got in October (should be a PIV II).
Try this, once you've got the reader plugged in, and pcscd running:
To list all the public certificates on a PIV card do

    pkcs15-tool --list-public-keys

At this point, there are websites out there with more info on cert extraction and installation. Note that your security org should have a CA cert that you'll need to install.
> > On a related note, from WinDoze, there's a version of putty that works: <http://www.risacher.org/putty-cac/putty-cac-experimental/windows/?C=N;O=D>.
> > Once installed, when you bring up the putty window, click on expand ssh, then click on pkcs. The one thing needed is the right dll, which, if you're running a 64 bit system, and using, say, ActivIdentity, is c:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll
> > MAKE SURE you get the right .dll; if you're running 32 bit, it will be the other one.
> Going to try this right now.
Good luck.
mark
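An added example, not code posted in the thread: the CentOS-side pieces described in the two messages above (OpenSC selected as the PKCS#11 module in pam_pkcs11.conf, a mapper, the security org's CA, and the card's keys for ssh) as shell functions, plus a check that the resulting pam_pkcs11.conf is internally consistent before pcscd is restarted and a login is tried. Assumed, not from the thread: the module path /usr/lib64/opensc-pkcs11.so (it depends on the build), the cn mapper with a mapfile at /etc/pam_pkcs11/cn_map, and the CA directory /etc/pam_pkcs11/cacerts.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed paths: the OpenSC module
# location (build-dependent), /etc/pam_pkcs11/cacerts for the org CA, and
# /etc/pam_pkcs11/cn_map for the cn mapper's mapfile.
set -u

OPENSC_MODULE=${OPENSC_MODULE:-/usr/lib64/opensc-pkcs11.so}

# Print a minimal pam_pkcs11.conf. use_pkcs11_module selects the opensc block;
# cert_policy "ca, signature" makes pam_pkcs11 verify the card certificate
# against the CA certs in ca_dir (that is where the security org's CA goes);
# use_mappers picks how the certificate is matched to a local account.
pam_pkcs11_conf() {
    cat <<EOF
pam_pkcs11 {
  nullok = false;
  debug = false;
  use_pkcs11_module = opensc;

  pkcs11_module opensc {
    module = $OPENSC_MODULE;
    description = "OpenSC PKCS#11 module";
    slot_num = 0;
    ca_dir = /etc/pam_pkcs11/cacerts;
    cert_policy = ca, signature;
  }

  use_mappers = cn;

  mapper cn {
    debug = false;
    module = internal;
    ignorecase = true;
    mapfile = file:///etc/pam_pkcs11/cn_map;
  }
}
EOF
}

# conf_value FILE KEY: the value of the first "KEY = value;" line
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# module_block FILE NAME: the body of "pkcs11_module NAME { ... }"
module_block() {
    awk -v name="$2" '
        $1 == "pkcs11_module" && $2 == name { inblk = 1; next }
        inblk && $1 == "}" { exit }
        inblk { print }' "$1"
}

# pam_pkcs11_conf_check FILE: fail unless the selected module and every
# mapper are defined, the module has a path, and cert_policy includes "ca".
pam_pkcs11_conf_check() {
    conf=$1
    mod=$(conf_value "$conf" use_pkcs11_module)
    [ -n "$mod" ] || { echo "use_pkcs11_module not set"; return 1; }
    blk=$(module_block "$conf" "$mod")
    [ -n "$blk" ] || { echo "pkcs11_module $mod is not defined"; return 1; }
    echo "$blk" | grep -q '^[[:space:]]*module[[:space:]]*=[[:space:]]*[^;[:space:]]' \
        || { echo "pkcs11_module $mod has no module path"; return 1; }
    policy=$(echo "$blk" | sed -n 's/^[[:space:]]*cert_policy[[:space:]]*=[[:space:]]*\([^;]*\);.*/\1/p' | tr ',' ' ')
    case " $policy " in
        *" ca "*) ;;
        *) echo "cert_policy for $mod does not include ca"; return 1 ;;
    esac
    mappers=$(conf_value "$conf" use_mappers | tr ',' ' ')
    [ -n "$mappers" ] || { echo "use_mappers not set"; return 1; }
    for m in $mappers; do
        grep -q "^[[:space:]]*mapper[[:space:]]\{1,\}$m[[:space:]]*{" "$conf" \
            || { echo "mapper $m is not defined"; return 1; }
    done
}

# Card side, once pcscd is running and the card is in the reader:
card_list()        { pkcs15-tool --list-public-keys; pkcs15-tool --list-certificates; }
card_ssh_pubkeys() { ssh-keygen -D "$OPENSC_MODULE"; }   # authorized_keys lines for the servers
card_agent_add()   { ssh-add -s "$OPENSC_MODULE"; }      # what piv-ssh-add -s does above

# Usage (as root): pam_pkcs11_conf > /etc/pam_pkcs11/pam_pkcs11.conf
#                  pam_pkcs11_conf_check /etc/pam_pkcs11/pam_pkcs11.conf && service pcscd restart
```

pam_pkcs11 ties use_pkcs11_module and use_mappers to their blocks by name, so a typo in the module name, or a mapper listed with no matching block, only shows up when someone tries to log in; pam_pkcs11_conf_check catches that at edit time. It also refuses a cert_policy without ca, because that is the setting that makes pam_pkcs11 check the card's certificate against the CAs in ca_dir rather than accept whatever the mapper matches. card_ssh_pubkeys prints the card's keys in the form the remote authorized_keys needs; card_agent_add loads the card into the agent as the renamed piv-ssh-add does in the thread.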
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jason Pyeron
Sent: Wednesday, December 15, 2010 14:09
To: 'CentOS mailing list'
Subject: Re: [CentOS] Smart cards, mostly solved
> <snip/>
> > On a related note, from WinDoze, there's a version of putty that works: <http://www.risacher.org/putty-cac/putty-cac-experimental/windows/?C=N;O=D>.
> > Once installed, when you bring up the putty window, click on expand ssh, then click on pkcs. The one thing needed is the right dll, which, if you're running a 64 bit system, and using, say, ActivIdentity, is c:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll
Works wonderfully, note the different path for the dll on my system.
Windows XP sp3 32bit
ActivClient for CAC - PKI Only 6.0 Build 6.00.00063
-- LIBRARY VERSION --
CSP Library: Name: accsp.dll Version: 4-0-0-7
P11 Library: Name: acpkcs211.dll (c:\WINDOWS\system32\acpkcs211.dll) Version: 4-0-0-12
BSI Library: Name: acbsi21.dll Version: 4-0-0-14
PIV Library: Name: acpivapi.dll Version: 4-0-0-2
> > MAKE SURE you get the right .dll; if you're running 32 bit, it will be the other one.
> Going to try this right now.
> > mark
Jason Pyeron wrote:
> <snip/>
> > > On a related note, from WinDoze, there's a version of putty that works: <http://www.risacher.org/putty-cac/putty-cac-experimental/windows/?C=N;O=D>.
> > > Once installed, when you bring up the putty window, click on expand ssh, then click on pkcs. The one thing needed is the right dll, which, if you're running a 64 bit system, and using, say, ActivIdentity, is c:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll
> Works wonderfully, note the different path for the dll on my system.
> Windows XP sp3 32bit
> ActivClient for CAC - PKI Only 6.0 Build 6.00.00063
<snip>
Hey, Jason,
Maybe we should talk offlist, and come up with a HOWTO - there's got to be a *lot* of folks with the US gov't fighting this battle who are not DoD (some of their files and info are not available to us hoi polloi).
mark
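An added example, not from the thread: the putty-cac step above turns on getting the acpkcs211.dll with the right architecture (c:\WINDOWS\system32 on Jason's 32-bit XP box, Program Files (x86) on Mark's 64-bit one, with "the other one" being the wrong pick). The quickest way to tell a 32-bit DLL from a 64-bit one without installing anything is to read the Machine field of its PE header; the functions below do that from a POSIX shell (over a copy of the DLL, or through a mounted Windows drive). The paths in the usage comment are illustrative, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: read the PE header of a DLL and report
# whether it is a 32-bit (i386) or 64-bit (x86_64) image, so the acpkcs211.dll
# handed to putty-cac is the one that matches. Uses only POSIX od.

# le32 FILE OFFSET: little-endian unsigned 32-bit value at OFFSET
le32() {
    f=$1; off=$2
    set -- $(od -An -tu1 -j "$off" -N 4 "$f")
    [ $# -eq 4 ] || return 1
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# pe_machine FILE: print i386, x86_64, arm64 or unknown; prints not-mz/not-pe
# (with status 1) when FILE is not a PE image at all
pe_machine() {
    f=$1
    set -- $(od -An -tu1 -N 2 "$f")                 # DOS header starts "MZ"
    [ "${1:-}" = 77 ] && [ "${2:-}" = 90 ] || { echo not-mz; return 1; }
    lfanew=$(le32 "$f" 60) || { echo not-pe; return 1; }   # e_lfanew at 0x3c
    set -- $(od -An -tu1 -j "$lfanew" -N 6 "$f")    # "PE\0\0" then Machine
    [ $# -eq 6 ] && [ "$1" = 80 ] && [ "$2" = 69 ] && [ "$3" = 0 ] && [ "$4" = 0 ] \
        || { echo not-pe; return 1; }
    case $(( $5 + $6 * 256 )) in
        332)   echo i386 ;;      # IMAGE_FILE_MACHINE_I386  = 0x014c
        34404) echo x86_64 ;;    # IMAGE_FILE_MACHINE_AMD64 = 0x8664
        43620) echo arm64 ;;     # IMAGE_FILE_MACHINE_ARM64 = 0xaa64
        *)     echo unknown; return 1 ;;
    esac
}

# pkcs11_dll_for ARCH DLL...: print the first existing DLL built for ARCH
pkcs11_dll_for() {
    want=$1; shift
    for dll in "$@"; do
        [ -f "$dll" ] || continue
        if [ "$(pe_machine "$dll" 2>/dev/null)" = "$want" ]; then
            echo "$dll"; return 0
        fi
    done
    return 1
}

# Usage, with the two ActivClient locations from the thread reached through a
# mounted Windows drive (illustrative paths):
#   pkcs11_dll_for i386 "/mnt/c/Program Files (x86)/ActivIdentity/ActivClient/acpkcs211.dll" \
#                       /mnt/c/WINDOWS/system32/acpkcs211.dll
```

Only two fields are read: e_lfanew at offset 0x3c of the DOS header, which points at the "PE\0\0" signature, and the 16-bit Machine field that immediately follows it. A PKCS#11 DLL whose Machine does not match the putty-cac build you installed will simply fail to load, so checking it up front beats guessing from the directory name.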